Generating a key pair is possible and easy by using the standard KeyPairGenerator also implemented by SunPKCS11.

Generating a PKCS10 certificate request is also possible and easy, although it entails using the sun.security package.

At this point, one would assume that the worst is over, as the last required operation is installing the certificate received from the certification authority. Alas, the SunPKCS11 provider seems to prevent such a basic operation.
The setCertificateEntry() method implemented by the SunPKCS11 provider, via the P11KeyStore class, just refuses to install a normal end-entity certificate -- and this is documented! Absolutely nonsensical.

Have you found the solution for this problem? I also having the same problem with you. The more strange thing for me is that I can't even use the P11KeyStore though I can find this class in sunpkcs11.jar. Please advice. I am meeting my deadline right now.